Search in sources :

Example 1 with GSSContext

use of org.ietf.jgss.GSSContext in project druid by druid-io.

the class DruidKerberosUtil method kerberosChallenge.

/**
   * This method always needs to be called within a doAs block so that the client's TGT credentials
   * can be read from the Subject.
   *
   * @return Kerberos Challenge String
   *
   * @throws Exception
   */
public static String kerberosChallenge(String server) throws AuthenticationException {
    kerberosLock.lock();
    try {
        // This Oid for Kerberos GSS-API mechanism.
        Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
        GSSManager manager = GSSManager.getInstance();
        // GSS name for server
        GSSName serverName = manager.createName("HTTP@" + server, GSSName.NT_HOSTBASED_SERVICE);
        // Create a GSSContext for authentication with the service.
        // We're passing client credentials as null since we want them to be read from the Subject.
        GSSContext gssContext = manager.createContext(serverName.canonicalize(mechOid), mechOid, null, GSSContext.DEFAULT_LIFETIME);
        gssContext.requestMutualAuth(true);
        gssContext.requestCredDeleg(true);
        // Establish context
        byte[] inToken = new byte[0];
        byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
        gssContext.dispose();
        // Base64 encoded and stringified token for server
        return new String(base64codec.encode(outToken));
    } catch (GSSException | IllegalAccessException | NoSuchFieldException | ClassNotFoundException e) {
        throw new AuthenticationException(e);
    } finally {
        kerberosLock.unlock();
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) AuthenticationException(org.apache.hadoop.security.authentication.client.AuthenticationException) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid)

Example 2 with GSSContext

use of org.ietf.jgss.GSSContext in project jetty.project by eclipse.

the class SpnegoLoginService method login.

/**
     * username will be null since the credentials will contain all the relevant info
     */
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    try {
        // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
        Oid krb5Oid = new Oid("1.3.6.1.5.5.2");
        GSSName gssName = manager.createName(_targetName, null);
        GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, krb5Oid, GSSCredential.ACCEPT_ONLY);
        GSSContext gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
        } else {
            while (!gContext.isEstablished()) {
                authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
            }
            if (gContext.isEstablished()) {
                String clientName = gContext.getSrcName().toString();
                String role = clientName.substring(clientName.indexOf('@') + 1);
                LOG.debug("SpnegoUserRealm: established a security context");
                LOG.debug("Client Principal is: " + gContext.getSrcName());
                LOG.debug("Server Principal is: " + gContext.getTargName());
                LOG.debug("Client Default Role: " + role);
                SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);
                Subject subject = new Subject();
                subject.getPrincipals().add(user);
                return _identityService.newUserIdentity(subject, user, new String[] { role });
            }
        }
    } catch (GSSException gsse) {
        LOG.warn(gsse);
    }
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid) Subject(javax.security.auth.Subject)

Example 3 with GSSContext

use of org.ietf.jgss.GSSContext in project OpenAM by OpenRock.

the class WindowsDesktopSSO method authenticateToken.

private void authenticateToken(final byte[] kerberosToken, final Set<String> trustedRealms) throws AuthLoginException, GSSException, Exception {
    debug.message("In authenticationToken ...");
    Subject.doAs(serviceSubject, new PrivilegedExceptionAction() {

        public Object run() throws Exception {
            GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
            if (debug.messageEnabled()) {
                debug.message("Context created.");
            }
            byte[] outToken = context.acceptSecContext(kerberosToken, 0, kerberosToken.length);
            if (outToken != null) {
                if (debug.messageEnabled()) {
                    debug.message("Token returned from acceptSecContext: \n" + DerValue.printByteArray(outToken, 0, outToken.length));
                }
            }
            if (!context.isEstablished()) {
                debug.error("Cannot establish context !");
                throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", null);
            } else {
                if (debug.messageEnabled()) {
                    debug.message("Context established !");
                }
                GSSName user = context.getSrcName();
                final String userPrincipalName = user.toString();
                // expected default behaviour.
                if (!trustedRealms.isEmpty()) {
                    boolean foundTrustedRealm = false;
                    for (final String trustedRealm : trustedRealms) {
                        if (isTokenTrusted(userPrincipalName, trustedRealm)) {
                            foundTrustedRealm = true;
                            break;
                        }
                    }
                    if (!foundTrustedRealm) {
                        debug.error("Kerberos token for " + userPrincipalName + " not trusted");
                        final String[] data = { userPrincipalName };
                        throw new AuthLoginException(amAuthWindowsDesktopSSO, "untrustedToken", data);
                    }
                }
                // perform the search.
                if (lookupUserInRealm) {
                    String org = getRequestOrg();
                    String userValue = getUserName(userPrincipalName);
                    String userName = searchUserAccount(userValue, org);
                    if (userName != null && !userName.isEmpty()) {
                        storeUsernamePasswd(userValue, null);
                    } else {
                        String[] data = { userValue, org };
                        debug.error("WindowsDesktopSSO.authenticateToken: " + ": Unable to find the user " + userValue);
                        throw new AuthLoginException(amAuthWindowsDesktopSSO, "notfound", data);
                    }
                }
                if (debug.messageEnabled()) {
                    debug.message("WindowsDesktopSSO.authenticateToken:" + "User authenticated: " + user.toString());
                }
                if (user != null) {
                    setPrincipal(userPrincipalName);
                }
            }
            context.dispose();
            return null;
        }
    });
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSCredential(org.ietf.jgss.GSSCredential) GSSContext(org.ietf.jgss.GSSContext) AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) IdRepoException(com.sun.identity.idm.IdRepoException) PrivilegedActionException(java.security.PrivilegedActionException) GSSException(org.ietf.jgss.GSSException) AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException) SSOException(com.iplanet.sso.SSOException)

Example 4 with GSSContext

use of org.ietf.jgss.GSSContext in project jdk8u_jdk by JetBrains.

the class MechTokenMissing method main.

public static void main(String[] args) throws Exception {
    GSSCredential cred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(cred);
    String var = /*0000*/
    "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/
    "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = new byte[var.length() / 3];
    for (int i = 0; i < token.length; i++) {
        token[i] = Integer.valueOf(var.substring(3 * i, 3 * i + 2), 16).byteValue();
    }
    try {
        ctx.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}
Also used : GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSContext(org.ietf.jgss.GSSContext)

Example 5 with GSSContext

use of org.ietf.jgss.GSSContext in project wildfly by wildfly.

the class GSSTestClient method getName.

// Public methods --------------------------------------------------------
/**
     * Retrieves the name of calling identity (based on given gssCredential) retrieved from {@link GSSTestServer}.
     *
     * @param gssCredential
     * @return
     * @throws IOException
     * @throws GSSException
     */
public String getName(final GSSCredential gssCredential) throws IOException, GSSException {
    LOGGER.trace("getName() called with GSSCredential:\n" + gssCredential);
    // Create an unbound socket
    final Socket socket = new Socket();
    GSSContext gssContext = null;
    try {
        socket.connect(new InetSocketAddress(host, port), GSSTestConstants.SOCKET_TIMEOUT);
        DataOutputStream dos = new DataOutputStream(socket.getOutputStream());
        DataInputStream dis = new DataInputStream(socket.getInputStream());
        LOGGER.debug("Sending NAME command.");
        dos.writeInt(GSSTestConstants.CMD_NAME);
        dos.flush();
        GSSManager manager = GSSManager.getInstance();
        gssContext = manager.createContext(manager.createName(spn, null), Constants.KERBEROS_V5, gssCredential, GSSContext.DEFAULT_LIFETIME);
        //            gssContext.requestCredDeleg(true);
        gssContext.requestMutualAuth(true);
        gssContext.requestConf(true);
        gssContext.requestInteg(true);
        byte[] token = new byte[0];
        while (!gssContext.isEstablished()) {
            token = gssContext.initSecContext(token, 0, token.length);
            if (token != null) {
                dos.writeInt(token.length);
                dos.write(token);
                dos.flush();
            }
            if (!gssContext.isEstablished()) {
                token = new byte[dis.readInt()];
                dis.readFully(token);
            }
        }
        token = new byte[dis.readInt()];
        dis.readFully(token);
        MessageProp msgProp = new MessageProp(false);
        final byte[] nameBytes = gssContext.unwrap(token, 0, token.length, msgProp);
        return new String(nameBytes, GSSTestConstants.CHAR_ENC);
    } catch (IOException e) {
        LOGGER.error("IOException occurred.", e);
        throw e;
    } finally {
        try {
            socket.close();
        } catch (IOException e) {
            LOGGER.error("IOException occurred", e);
        }
        if (gssContext != null) {
            try {
                gssContext.dispose();
            } catch (GSSException e) {
                LOGGER.error("GSSException occurred", e);
            }
        }
    }
}
Also used : GSSException(org.ietf.jgss.GSSException) InetSocketAddress(java.net.InetSocketAddress) DataOutputStream(java.io.DataOutputStream) GSSContext(org.ietf.jgss.GSSContext) GSSManager(org.ietf.jgss.GSSManager) MessageProp(org.ietf.jgss.MessageProp) IOException(java.io.IOException) DataInputStream(java.io.DataInputStream) Socket(java.net.Socket)

Aggregations

GSSContext (org.ietf.jgss.GSSContext)53 GSSManager (org.ietf.jgss.GSSManager)36 GSSName (org.ietf.jgss.GSSName)35 Oid (org.ietf.jgss.Oid)34 GSSException (org.ietf.jgss.GSSException)28 GSSCredential (org.ietf.jgss.GSSCredential)23 Subject (javax.security.auth.Subject)19 PrivilegedActionException (java.security.PrivilegedActionException)13 LoginException (javax.security.auth.login.LoginException)12 IOException (java.io.IOException)10 LoginContext (javax.security.auth.login.LoginContext)8 Principal (java.security.Principal)5 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)5 AuthenticationException (org.apache.hadoop.security.authentication.client.AuthenticationException)5 Test (org.junit.Test)5 HttpServletRequest (javax.servlet.http.HttpServletRequest)4 HttpServletResponse (javax.servlet.http.HttpServletResponse)4 SecurityTest (org.apache.drill.categories.SecurityTest)3 SystemOptionManager (org.apache.drill.exec.server.options.SystemOptionManager)3 AuthenticationException (com.hortonworks.registries.auth.client.AuthenticationException)2